


Vulnerability Development: 3COM TFTPD Overflow: SEH Overwrite

3COM TFTPD Overflow: SEH Overwrite

From: <jeremy.junginger_at_gmail.com>
Date: 25 Jan 2008 14:58:43 -0000

I'm attempting to exploit an already known bug in 3COM TFTPD server, and execute "calc.exe" with my shellcode. I have control of ECX/EIP, and can overwrite both SEH and pointer to next SEH successfully, and have used:

Pointer to next SEH: \xeb\x10\x90\x90
SEH: \x69\x12\xab\x71 (POP/POP/RET in ws2_32.dll)

A full writeup with screenshots is available at:
http://filebin.ca/pmuwqm/SEHOverwrite.rtf

I'm getting "Debugged program was unable to process exception", so I hit shift+f9 (in olly) and it terminates with some strange exit code. Could you take a peek and see what I'm missing here?

Thanks guys!

-jj
Received on Jan 25 2008
